[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
** Also affects: flatpak (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: flatpak (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: flatpak (Ubuntu Bionic) Status: New => Triaged ** Changed in: flatpak (Ubuntu Focal) Status: New => Triaged ** Changed in: flatpak (Ubuntu Focal) Status: Triaged => Confirmed ** Changed in: flatpak (Ubuntu Bionic) Status: Triaged => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
Jeremy (or other Ubuntu people), are you able to mark this as also affecting Ubuntu focal and bionic? I can't find where to do that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
** Changed in: flatpak (Ubuntu Mantic) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
Jeff, that's just how Launchpad is configured. Sorry. But there is a better way to look for security issues in a package than trying to navigate Launchpad: https://ubuntu.com/security/cves?package=flatpak -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
The Ubuntu packages turned out to be safe, but administrators of high security environments should still reach out privately for an assessment done by adding a test repository. Please make this issue private, it's confusing for users, making my work harder. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
While I'm not fully familiar with how things are done here, is it really sensible that the "Fix Released" status prevents search on the main page from even finding this issue? We aren't far from the upstream fixes being available for a week already without any of the supported releases of Ubuntu getting a fix, and even the visibility of the problem is significantly limited. It's a sandbox escape vulnerability, therefore privilege escalation. Upstream took it seriously, as smcv mentioned there are even multiple fixed versions to choose from to update to, but regular users don't even get to know that they have been affected by a vulnerability marked with high severity upstream for so long. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
This also affects focal, bionic, and older LTS suites. If it's possible to update focal to 1.12.9 from the upstream 1.12.x stable branch, that would also resolve LP: #2063034 and LP: #2063035. There isn't much point in the upstream developers doing 1.12.x releases if distributions aren't going to pick them up. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: flatpak (Ubuntu Jammy) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: flatpak (Ubuntu Mantic) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-32462 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
I'm not working on the stable security updates now but I opened tasks for them in case someone else wants to contribute. ** Also affects: flatpak (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: flatpak (Ubuntu Mantic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
Covering just Noble isn't really enough with Mantic and Jammy still providing vulnerable packages according to the advisory listing affected versions as: - < 1.10.9 - 1.12.x < 1.12.9 - 1.14.x < 1.14.6 - 1.15.x < 1.15.8 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
I'm manually closing the bug now since it was accepted into noble- proposed without a LP bug number. I'll watch to make sure it migrates to noble release https://launchpad.net/ubuntu/+source/flatpak/1.14.6-1 ** Changed in: flatpak (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
** Changed in: flatpak (Ubuntu) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
** Tags added: noble upgrade-software-version ** Description changed: Upstream advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA- phv6-cpc2-2fgj If possible please sync 1.14.6-1 from Debian instead of backporting fixes. That version only fixes the security issue and one other high- visibility bug (app developer names showing in the CLI as though they were the app's name). + + https://github.com/flatpak/flatpak/compare/1.14.5...1.14.6 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88
** Changed in: flatpak (Ubuntu) Status: New => In Progress ** Changed in: flatpak (Ubuntu) Assignee: (unassigned) => Jeremy Bícha (jbicha) ** Changed in: flatpak (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406 Title: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
